Horilla Remote Code Execution Vulnerability in Project Bulk Archive Feature
Vulnerability
A remote code execution vulnerability has been identified in Horilla version 1.3.0, an open-source Human Resource Management System. The flaw stems from the unsafe use of Python's eval() on a user-controlled query parameter in the project_bulk_archive view. As a result, authenticated users with administrative privileges can execute arbitrary system commands on the server. Exploitation is easier with Django's DEBUG mode enabled, because command output is returned in the response, but it is also possible with DEBUG=False using blind payloads, such as a reverse shell, leading to full remote code execution.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server, potentially leading to a complete takeover of the host system.
Reproduction
To reproduce this vulnerability, an authenticated user with project archiving privileges must first create a project. The user then triggers the bulk archive operation by sending a POST request to the project-bulk-archive endpoint with a crafted is_active query parameter carrying a malicious payload. If Django's DEBUG mode is enabled, the output of the executed command is visible in the response; with DEBUG=False, a blind payload achieves the same result without returning output.
Remediation
Users can upgrade to Horilla version 1.3.1, where this vulnerability has been patched.
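The following is an added illustration, not Horilla's code or part of the advisory: an allow-list replacement for the eval()-based conversion of the is_active flag, used both as the view-side fix and as a detection rule over access-log lines. The log format, client addresses, user names and parameter values are constructed; only the endpoint path and parameter name come from the advisory.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Allow-listed spellings of the flag (assumption: the view only ever needs a bool).
ALLOWED = {"true": True, "false": False}

def parse_is_active(raw: Optional[str]) -> Optional[bool]:
    """Allow-list conversion of the 'is_active' query parameter.

    The vulnerable view did the equivalent of eval(raw): that turns the string
    "True" into the bool True, but also runs any other Python expression the
    caller supplies. A fixed token map cannot execute anything; unknown input
    yields None so the caller can reject the request with HTTP 400.
    """
    if raw is None:
        return None
    return ALLOWED.get(raw.strip().lower())

# Constructed access-log lines (not real traffic), common-log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:10:00:00 +0000] "POST /project-bulk-archive?is_active=True HTTP/1.1" 200 512
10.0.0.7 - admin [01/Jan/2025:10:00:04 +0000] "POST /project-bulk-archive?is_active=1%2B1 HTTP/1.1" 500 2048
10.0.0.5 - admin [01/Jan/2025:10:00:09 +0000] "POST /project-bulk-archive?is_active=False HTTP/1.1" 200 512
"""

# client, ident, user, [timestamp], "METHOD target protocol", status
REQUEST_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_suspicious(log_text: str) -> list:
    """Return (client, user, decoded_is_active, status) for every request to the
    bulk-archive endpoint whose is_active value is not an allow-listed boolean.

    The same predicate that hardens the view doubles as the detection rule:
    anything eval() would have accepted but the allow-list does not is flagged.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, user, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.rstrip("/").endswith("project-bulk-archive"):
            continue
        # parse_qs URL-decodes, so %2B becomes '+' before the check runs.
        for raw in parse_qs(url.query, keep_blank_values=True).get("is_active", []):
            if parse_is_active(raw) is None:
                hits.append((client, user, raw, int(status)))
    return hits
```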